directory-dev mailing list archives

[jira] Created: (DIRSERVER-772) Credentials in server.xml is read as byte[], and is visible

Date

Sun, 05 Nov 2006 13:47:16 GMT

Credentials in server.xml is read as byte[], and is visible
-----------------------------------------------------------
Key: DIRSERVER-772
URL: http://issues.apache.org/jira/browse/DIRSERVER-772
Project: Directory ApacheDS
Issue Type: Bug
Reporter: Emmanuel Lecharny
The credentials declared in the server.xml files are read as a byte array during the server
initialization. Worst, it is visible to the mere mortal who has access to this file.
At this point, I don't think that storing a password in a configuration file is a good idea.
There should be a phase in installation where the password must be asked to the administrator,
and stored in the base, crypted, of course !
However, if we don't change that in the next version, we must fix the conversion from String
to byte[], because the user's default encoding may be different from UTF-8, which is the server.xml
file's encoding. The piece of code that read the credential is :
...
Object value = env.get( Context.SECURITY_CREDENTIALS );
if ( value == null )
{
credential = null;
}
else if ( value instanceof String )
{
credential = ( ( String ) value ).getBytes();
}
Here, we should have something like :
credential = ( ( String ) value ).getBytes( "UTF-8" );
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira